- Cybernews discovered that Tokee’s unprotected MongoDB exposed the data of around 1.2 million users
- The leak included names, phone numbers, avatars, device tokens, identifiers, activity logs, and account status; chat logs were encrypted
- Deucetek secured the database after its disclosure; no evidence of malicious access, but users warned of phishing risks

A messaging app called Tokee kept an unprotected database containing lots of sensitive information, exposing more than a million customers to anyone who knew where to look.
Security researchers from Cybernews discovered a non-password-protected MongoDB instance that contained users’ display names, phone numbers stored as numeric values, profile avatars, device tokens used for push notifications, user IDs, timestamps for account creation and update, “last seen” activity indicators, and account status indicators (e.g., premium or non-premium).
Further investigation determined that the database belonged to a company called Deucetek, a US-based software company developing the Tokee messaging app.
Tokee isn’t as popular as WhatsApp or Telegram, but it still has a strong user base. On the Android platform alone, it has over a million downloads (Apple’s App Store doesn’t show download numbers) – but Cybernews said the leak revealed about 1.2 million users, “which is likely the vast majority of the app’s user base.”
Chat logs were also stored in the same database, but they were encrypted and therefore at no immediate risk. If someone had enough computing power, the encryption could be cracked, but at the moment it’s not really profitable. However, the database contains a lot of unencrypted information that could cause serious damage:
“Although user chat messages stored in the same infrastructure appear to be encrypted using password-based OpenSSL encryption, the exposed personal data alone presents significant privacy, security, and regulatory risks,” the Cybernews team said.
Following a responsible disclosure, Deucetek locked the database. The researchers said there was no evidence that the data had been discovered by malicious actors in the past, and it did not appear to have been found on the dark web. Even so, users are advised to be careful with incoming messages, especially those claiming to be from Tokee or Deucetek.





